diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..a0eccb90
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,32 @@
+# Security Policy
+
+If you discover a security vulnerability in bundler-audit, please report it
+privately.
+
+## Reporting A Vulnerability
+
+- Email: postmodern.mod3@gmail.com
+- Subject: "[bundler-audit] Security vulnerability report"
+
+Please include:
+
+- A clear description of the issue and impact.
+- Steps to reproduce or a proof of concept.
+- Affected versions and environment details.
+- Any suggested remediation, if known.
+
+Do not open a public GitHub issue for suspected vulnerabilities.
+
+## Encryption
+
+If you want to send encrypted details, mention this in your initial email and we
+will coordinate a secure channel.
+
+## Disclosure Process
+
+After confirmation, maintainers will:
+
+1. Acknowledge receipt.
+2. Investigate and validate the report.
+3. Prepare and release a fix.
+4. Coordinate responsible disclosure details.
diff --git a/spec/security_policy_spec.rb b/spec/security_policy_spec.rb
new file mode 100644
index 00000000..056eaa8e
--- /dev/null
+++ b/spec/security_policy_spec.rb
@@ -0,0 +1,22 @@
+require 'spec_helper'
+
+describe 'SECURITY.md' do
+  let(:path) do
+    File.expand_path(File.join(File.dirname(__FILE__), '..', 'SECURITY.md'))
+  end
+
+  let(:content) { File.read(path) }
+
+  it 'exists' do
+    expect(File.file?(path)).to be(true)
+  end
+
+  it 'contains private reporting guidance' do
+    expect(content).to include('Reporting A Vulnerability')
+    expect(content).to include('Do not open a public GitHub issue')
+  end
+
+  it 'contains a security contact channel' do
+    expect(content).to include('postmodern.mod3@gmail.com')
+  end
+end
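Review bot: The last example pins the maintainer's personal address `postmodern.mod3@gmail.com` as a literal, so the spec fails whenever the contact channel in SECURITY.md is rotated, which is exactly the edit a security policy should make cheap to do. Asserting on the structural line instead, `expect(content).to match(/^- Email: \S+@\S+$/)`, still proves a contact exists without freezing which one. The `path` helper can also be simplified to `File.expand_path('../SECURITY.md', __dir__)`, dropping the nested `File.join`/`File.dirname` calls. Note the spec only checks that the policy text is present; it cannot verify that the mailbox is monitored or that the "secure channel" promised under Encryption actually exists, so a published key fingerprint in SECURITY.md would be the practical follow-up.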